CIS delivers free resources for cybersec professionals

Richard Comeau – Center for Internet Security

The Center for Internet Security, or CIS, is a not-for-profit body based in the US that was established in 2000. It provides benchmarks: consensus-based configuration guides created by experts on different technologies. These are configuration settings that anyone can use to assist with hardening their systems.

CIS has global contributors. Richard Comeau, from CIS, told us that members of Australia’s DSD have been involved, having contributed to several guides. A number of Australian banks, universities and telcos are members of CIS.

The guides are provided free of charge, in PDF format, to the public. Paid-up members of CIS, however, can also access security automation content. As well as covering traditional on-premises deployments, CIS also produces guides for major virtualisation platforms and cloud services.

One of the newer standards they are working on is for Hadoop; according to Comeau, this is a direct reaction to a lack of hardening information in the market.

“So, they can access those benchmarks but in machine-readable format,” says Comeau. These are in SCAP format, an open source format that was originally developed by the NSA and NIST. When a device or system ingests a benchmark, its existing configuration is checked against the benchmark’s settings and a report is produced of what changes should be made to harden the system.
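The check-and-report workflow described above, as an added illustration that is not CIS code and not actual benchmark content: a handful of constructed sshd_config-style rules (the rule ids, settings and remediation strings are made up for this example) are evaluated against a constructed config, and each rule reports PASS or FAIL with the change needed.

```python
"""Constructed illustration of automated benchmark checking, in the spirit of
the machine-readable benchmarks described above. Rules are made up, NOT CIS content."""
import re

# Constructed sample config (sshd_config style); not taken from a real host.
SAMPLE_CONFIG = """\
# sample sshd_config
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 4
"""

# Each rule: (rule id, config key, predicate on the observed value, remediation).
# Ids and expected values are illustrative, not real CIS recommendation numbers.
RULES = [
    ("example-1", "PermitRootLogin", lambda v: v == "no", "set PermitRootLogin no"),
    ("example-2", "X11Forwarding", lambda v: v == "no", "set X11Forwarding no"),
    ("example-3", "MaxAuthTries", lambda v: v is not None and int(v) <= 4, "set MaxAuthTries 4 or lower"),
    ("example-4", "LogLevel", lambda v: v in ("INFO", "VERBOSE"), "set LogLevel INFO"),
]

def parse_config(text):
    """Parse 'Key value' lines; comments and blank lines are ignored, keys lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def evaluate(config_text, rules=RULES):
    """Return [(rule id, 'PASS'|'FAIL', remediation or '')]; a missing key is passed
    to the predicate as None, so a rule fails unless it explicitly accepts absence."""
    settings = parse_config(config_text)
    report = []
    for rule_id, key, predicate, fix in rules:
        value = settings.get(key.lower())
        try:
            ok = predicate(value)
        except (TypeError, ValueError):  # malformed value counts as non-compliant
            ok = False
        report.append((rule_id, "PASS" if ok else "FAIL", "" if ok else fix))
    return report
```

Running `evaluate(SAMPLE_CONFIG)` flags the root-login, X11 and missing LogLevel settings and passes MaxAuthTries, which is the kind of per-rule finding an automated benchmark scan reports.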

In addition to the benchmarks, CIS also operates a Security Operations Centre, working with the Department of Homeland Security. This involves monitoring firewalls, IPS and other devices for a number of state and local governments in the US, as well as some utilities and other critical infrastructure. CIS also works with a number of other government and statutory authorities on threat monitoring and assessment.

“We really do have the threat and information sharing tools and we use a lot of that information for what we prescribe in the benchmarks. We see certain vulnerabilities and configuration issues that are being exploited. That helps inform how we’re putting together [our tools],” says Comeau.

Incredibly, CIS manages all of this with a team of fewer than 100 people.

A recently launched CIS service is the deployment of pre-hardened virtual machines on Amazon’s EC2 platform. Comeau told us CIS is selling these services to non-members but, in keeping with its not-for-profit status, is doing so cost effectively at $0.02 per additional compute hour.

From his observations, Comeau says picking off the low-hanging fruit can mitigate many significant risks. Regular patching and giving users only the system privileges they need are often either overlooked or have their importance understated. One of the statistics bandied about at the RSA Conference this year was that the most exploited vulnerability of 2014 had been patched by Microsoft in 2010.

Another challenge, says Comeau, is that business process often wins out over cyber-hygiene. For example, links between systems might be desirable for business reasons but can introduce risks that allow bad actors with a compromised account to move laterally between seemingly unrelated systems.

Given the complexity and scale of systems today, even those used by SMEs, Comeau says it is imperative to use automation in order to secure systems properly.

“Every OS has so many prescribed configuration settings to make it a baseline hardening level. You can’t do that all by hand. We put the standards out as guidance documents but we make our memberships cost effective and put the automation tools out there.”

Anthony Caruana attended RSA Conference as a guest of Symantec.
